REAL PARTY IN INTEREST



The real party in interest in this appeal is the following party: International Business Machines
Corporation (IBM), having a place of business at Armonk, New York 10504. 
RELATED APPEALS AND INTERFERENCES



With respect to other appeals or interferences that will directly affect, or be directly affected by, or
have a bearing on the Board's decision in the pending appeal, there are no such appeals or
interferences. 
STATUS OF CLAIMS

A. TOTAL NUMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 1-38 

B. STATUS OF ALL THE CLAIMS IN APPLICATION 

1. Claims canceled: 10-16, 30-36, and 38 

2. Claims withdrawn from consideration but not canceled: NONE 

3. Claims pending: 1-9, 17-29, and 37 

4. Claims allowed: NONE 

5. Claims rejected: 1-9, 17-29, and 37

C. CLAIMS ON APPEAL 

The claims on appeal are: 1-9, 17-29, and 37 
STATUS OF AMENDMENTS
No amendments have been submitted since the final office action was issued. 
SUMMARY OF CLAIMED SUBJECT MATTER



A. CLAIM 1 - INDEPENDENT 

The subject matter of claim 1 is directed to a method for providing access to resources
within a data processing system. The first part of the method is shown in Figure 5, which is
discussed in the application from page 13, line 14 through page 14, line 6; the second part of the
method is shown in Figure 6, which is discussed in the application on page 14, lines 7-20. The 
method comprises the data processing system implemented steps of: 

• receiving a request from a requestor to access a resource in the data processing system, 
shown as step 500 in Figure 5 and discussed on page 13, lines 16-18;

• sending a first cookie to the requestor in response to the request, wherein the cookie is 
used to access the resource, shown as steps 502, 504 of Figure 5, discussed on page 13, 
line 19 through page 14, line 3; 

• storing an identification of the requestor and the first cookie to form a stored 
identification and a stored cookie, wherein the identification of the requestor identifies a
particular data processing system from which the request originated, shown as step 506
of Figure 5, discussed on page 14, lines 3-6;

• responsive to receiving a second cookie from a source, comparing an identification of 
the source and the second cookie with the stored identification and the stored cookie to 
determine whether the second cookie contains the same information as the first cookie 
and whether the second cookie was received from the particular data processing system, 
shown as steps 600, 602 in Figure 6 and discussed on page 14, lines 10-13; and

• responsive to a match between the identification of the source and the second cookie 
and the stored identification and the stored cookie, allowing access to the resource, 
shown as steps 604, 606 in Figure 6, discussed on page 14, lines 13-18 and page 4, lines 
15-18. 

B. CLAIM 17 - INDEPENDENT 

The subject matter of claim 17 is directed to a data processing system, shown in Figures 
1 and 2, which are discussed in the application from page 6, line 4 through page 9, line 29. The
data processing system comprises a cache and a cookie management process. The cookie cache is
shown in Figure 4, discussed in the application on page 12, line 21 through page 13, line 13. The
cookie management process is a device claim corresponding to independent method claim 1.

C. CLAIM 21 - INDEPENDENT 

The subject matter of claim 21 is directed to a data processing system. This claim is a means plus 
function claim corresponding to independent method claim 1.

D. CLAIM 37 - INDEPENDENT

The subject matter of claim 37 is directed to a computer program product and corresponds to 
independent claim 1. 
GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL



A. GROUND OF REJECTION 1 (Claims 1-9, 17-29, and 37)

Claims 1-9, 17-29, and 37 stand rejected under 35 U.S.C. § 103(a) as obvious over U.S.
Patent 6,205,480 B1 to Broadhurst et al., hereinafter Broadhurst.

B. GROUND OF REJECTION 2 (Claim 18) 

Claim 18 stands rejected under 35 U.S.C. § 103(a) as obvious over Broadhurst and
Grantges, Jr. et al., hereinafter Grantges.
ARGUMENT



A. GROUND OF REJECTION 1 (Claims 1-9, 17-29, and 37)

Representative claim 1 recites, 

1. A method in a data processing system for providing access to resources
within the data processing system, the method comprising the data processing 
system implemented steps of: 

receiving a request from a requestor to access a resource in the data 
processing system; 

sending a first cookie to the requestor in response to the request, wherein 
the cookie is used to access the resource; 

storing an identification of the requestor and the first cookie to form a 
stored identification and a stored cookie, wherein the identification of the
requestor identifies a particular data processing system from which the request 
originated; 

responsive to receiving a second cookie from a source, comparing an 
identification of the source and the second cookie with the stored identification 
and the stored cookie to determine whether the second cookie contains the 
same information as the first cookie and whether the second cookie was 
received from the particular data processing system; and 

responsive to a match between the identification of the source and the 
second cookie and the stored identification and the stored cookie, allowing 
access to the resource.



Concerning this claim and related claims, the final office action states, 

In reference to claims 1, 21, and 37, Broadhurst discloses a system, 
method, and computer program product for processing data for providing 
access to resources within the data processing system (abstract), the method 
comprising the data processing system implemented steps of: 

Receiving a request from a requestor to access a resource in the data 
processing system (Fig. 2 part 100).

The system is responsive to receiving a second cookie from a source, 
comparing an identification of the source and the second cookie with the stored 
identification and the credentials to determine whether the second cookie 
contains the same information as the first cookie and whether the second 
cookie was received from the particular data processing system, and responsive 
to a match between the identification of the source and the second cookie and 
stored identification and the stored cookie, allowing access to the resource 
(Fig. 2, part 112 and 114 in combination with column 4 lines 42-60). The
system allows access depending on the authentication information therefore
responsive to a match between the identification of the source and the second
cookie and the stored identification and the stored credentials.

Although Broadhurst does not expressly disclose storing the cookie, 
Broadhurst discusses storing the credentials that can be formed into a cookie 
(column 3, lines 41-48). The user's identity is used to form a network 
credential (column 4 lines 20-25). 1 

It is submitted that there are two main problems with this rejection: (1) Broadhurst does
not disclose storing and comparing both an identification of the requestor and an associated
cookie; and (2) Broadhurst does not provide a motivation to modify this patent to store the
cookie and identifier and to compare these to a received request in order to meet the claimed
invention.

(1) Broadhurst does not store and compare both an identification and a cookie 

Regarding an obviousness rejection, the Federal Circuit has noted the following, 

All limitations of the claimed invention must be considered when determining 
patentability. In re Lowry, 32 F.3d 1579, 1582, 32 U.S.P.Q.2d 1031, 1034 (Fed.
Cir. 1994).

In a proper obviousness determination, regardless of whether the changes from 
the prior art are "minor," the changes must be evaluated in terms of the whole
invention, including whether the prior art provides any teaching or suggestion to
one of ordinary skill in the art to make the changes that would produce the
claimed invention. In re Chu, 66 F.3d 292, 298, 36 U.S.P.Q.2d 1089, 1094 (Fed.
Cir. 1995).

It is submitted that Broadhurst does not store a copy of the cookie that is sent out; further 
this patent does not show saving the identification of the system to which a cookie is sent. It is 
noted that the drawings of Broadhurst are reproduced on the following page, while the cited 
sections of Broadhurst are reproduced here, 

For each user, the directory 16 stores information which allows the user's 
authentication information to be mapped into a network credential which 
includes a role of the user. The network credential can then be formed into a 
cookie. Once logged in and initially authenticated to the network, a user may 
freely access any of the applications allowed by the role. 2 

In step 104, it is determined whether the user already has a cookie containing a 
network credential. If there is not yet a user cookie, one is created in step 106 
by consulting the directory 16 to map the user's identity to an intermediate 
identity and a user role, which are used to form a network credential. 3 



1 Final office action of 10/21/04, page 3 

2 Broadhurst, column 3, lines 41-48 

3 Broadhurst, column 4, lines 20-25 
In step 110, the user attempts access to a new application (a back-end
application resident on the same host machine as the web server or an external 
application not resident on the same host machine as the web server) by 
inputting a request to the browser, which then attempts to access the requested 
resources. These additional resources may or may not be accessible to the user
based on the user's assigned role. In step 112, the browser obtains 
authentication information, in the form of SV values necessary to access the 
back-end or external application, by accessing a script for single sign on stored 
with the web server, and transferring the cookie to the script. The script 
retrieves the script access variable for the back-end or external application 
based on the network credential (including the user role), and presents the SV
values to the new application. Step 112 is performed automatically by the 
browser without any action required on the part of the user beyond presenting 
the request in step 108. In step 114, the desired application grants access based 
on the authentication information obtained in step 112. 4
As seen in the excerpts on the prior page and in Figure 2 here, Broadhurst creates a cookie
from the user's identity, which is then given to the user. When the user requests access to a
resource (application), the possession of a valid cookie provides all the information that is
needed to gain access and the user is allowed to proceed. There is no need presented in
Broadhurst to require more. Nor does Broadhurst appear to save this information, since the user
has a copy to present to the server as needed.

[Figure 2 of Broadhurst: ACCESS APPLICATION]

4 Broadhurst, column 4, lines 40-60

In the instant application, the process does not stop with validation of the cookie, as the
following excerpt attests, noting, 

the secure cookie cache of the present invention also may prevent the use of a 
cookie by any other system other than the intended remote host. For example, 
if a cookie is intercepted by network "ease [sic] dropper" system it would be 
invalid for any system accept for the specific remote host to which the cookie 
was issued. Thus, the cookie matches, but the IP address does not match, the 
cookie is not accepted in these examples. 

Thus, the instant application requires that not only must the cookie be valid; it must also be
presented by the system to which the cookie was sent. This is shown in the claims by the steps of
"storing an identification of the requestor and the first cookie to form a stored identification and a
stored cookie . . . comparing an identification of the source and the second cookie with the stored
identification and the stored cookie to determine whether the second cookie contains the same
information as the first cookie and whether the second cookie was received from the particular
data processing system".

It is submitted that neither the cited portions of Broadhurst nor the rest of the patent save 
a system identifier and an associated cookie, then compare both the cookie and system identifier 
with a requesting system and cookie. It is further submitted that this distinction is patentable, as it 
provides additional security that is not possible in the prior art. The Board of Appeals is 
requested to overturn the rejection of the claims represented by claim 1.
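
The store-and-compare steps described above, sketched in Python as an added illustration; this is not code from the application or from Broadhurst. The class and function names are hypothetical, the identification is taken to be an Internet protocol address as in claim 7, and the addresses and resource path are constructed sample values.

```python
import hmac
import ipaddress
import secrets

ALLOW = "allow"
REJECT_UNKNOWN_COOKIE = "reject: no such cookie stored for this resource"
REJECT_WRONG_SOURCE = "reject: cookie matches, source address does not"


def _norm(addr):
    """Canonical address text, so an IPv4-mapped IPv6 form equals its IPv4 form."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)


class CookieCache:
    """Hypothetical cache of (requestor address, resource, cookie) entries."""

    def __init__(self):
        self._entries = []

    def issue(self, requestor_ip, resource):
        """Sending and storing steps: mint a cookie and record who received it."""
        cookie = secrets.token_urlsafe(32)
        self._entries.append((_norm(requestor_ip), resource, cookie))
        return cookie

    def check(self, source_ip, resource, presented):
        """Comparing step: the cookie AND the presenting system must both match."""
        source = _norm(source_ip)
        cookie_known = False
        for ip, res, cookie in self._entries:
            if res != resource:
                continue
            # Constant-time comparison of the stored and presented cookie values.
            if hmac.compare_digest(cookie.encode(), presented.encode()):
                cookie_known = True
                if ip == source:
                    return ALLOW
        return REJECT_WRONG_SOURCE if cookie_known else REJECT_UNKNOWN_COOKIE

    def check_cookie_only(self, resource, presented):
        """Contrast case: possession of a valid cookie is treated as sufficient."""
        return any(
            res == resource
            and hmac.compare_digest(cookie.encode(), presented.encode())
            for _, res, cookie in self._entries
        )


def demo():
    """Constructed scenario: one requestor, one eavesdropper, one forged cookie."""
    cache = CookieCache()
    resource = "/files/report"          # constructed sample resource
    requestor = "192.0.2.10"            # constructed sample address
    eavesdropper = "198.51.100.7"       # constructed sample address
    cookie = cache.issue(requestor, resource)
    return {
        "requestor": cache.check(requestor, resource, cookie),
        "eavesdropper": cache.check(eavesdropper, resource, cookie),
        "eavesdropper_cookie_only": cache.check_cookie_only(resource, cookie),
        "forged": cache.check(requestor, resource, "not-an-issued-cookie"),
    }


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

Systems that share one address, for example behind a common proxy, are indistinguishable to this comparison, so the identification is only as specific as the address itself.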
(2) Broadhurst does not provide a motivation to modify 

Regarding motivation in an obviousness rejection, the Federal Circuit notes, 

The mere fact that the prior art could be readily modified to arrive at the claimed 
invention does not render the claimed invention obvious; the prior art must 
suggest the desirability of such a modification. In re Ochiai, 71 F.3d 1565, 1570,
37 U.S.P.Q.2d 1127, 1131 (Fed. Cir. 1996); In re Gordon, 733 F.2d 900, 903,
221 U.S.P.Q. 1125, 1127 (Fed. Cir. 1984). Merely stating that the modification
would have been obvious to one of ordinary skill without identifying an incentive 
or motivation for making the proposed modification is insufficient to establish a 
prima facie case. 

It is submitted that the final rejection does not even appear to recognize that Broadhurst 
requires only a valid cookie for validation, while the instant application requires that the cookie be
both valid and presented by the system that was previously given the cookie. Broadhurst does not 
appear to mention the possibility that an external system could attempt to intercept a cookie and use 
it to attack or gain information from the issuing computer system. In fact, Broadhurst notes, in one
of the excerpts cited in the rejection, that "The present invention is particularly advantageous in an 
intranet environment." 5 It is noted that when working in an intranet, one is protected by firewalls 
from the malicious mischief present on the Internet; thus an application on an intranet would not 
need the added protection supplied by the instant application when saving and comparing both 
cookies and the system to which the cookies were sent. It is submitted that Broadhurst does not 
present any of the situations that would necessitate further protection. This patent does not appear to 
discuss the possible malicious use of cookies and appears perfectly content with the measures it has 
in place for security. 

Thus, Broadhurst does not provide any incentive or motivation to modify this patent to
meet the claimed limitations. The Board of Appeals is requested to overturn the present rejection. 

B. GROUND OF REJECTION 2 (Claim 18) 

Claim 18 is rejected over the combination of Broadhurst and Grantges. This claim is 
dependent on claim 17, which has been shown to be allowable above. Thus this claim is allowable
simply for being dependent on an allowable claim. However, claim 18 recites further limitations 
that are not met by Grantges. Specifically, claim 18 recites, 

18. The data processing system of claim 17, wherein the requestor is a server. 

Regarding this claim, the rejection states, 

Grantges discloses a system that uses authentication cookies wherein the cookies 
are redirected by a server to the correct server therefore making the server the 
requestor on behalf of the web browser (column 11 line 63 to column 12 line 10).

The cited section of Grantges reads, 

In step 124, the incoming message is routed by gateway proxy server 40 to the
particular destination server 28.sub.1, 28.sub.2, . . . , 28.sub.3 corresponding to
the selected application. Gateway proxy server 40 includes a mapping or
routing function responsive to the appended identifier 100, and configured to
identify the appropriate destination server 28. Identifier 100 may be omitted
from the message that is eventually routed through one of connections 58, 60, 
and 62, since its purpose (i.e., routing) has already been satisfied. It is 
important to note that the selected-application cookie 94 now contains the 
information as to the selected application. Thus, subsequent messages, which 
include cookie 94, may be routed to the appropriate destination server. The 
method then proceeds to step 116, wherein the method ends.



5 Broadhurst, column 2, lines 47-48, in Summary of the Invention 

(Appeal Brief Page 13 of 23) 
Gordon et al. - 09/478,309 






It is submitted that while the cited section of Grantges does show a gateway proxy server 
redirecting a message to a destination server, one of ordinary skill in the art would not interpret this 
as the proxy server becoming the "requestor", as the rejection suggests. Rather, the requestor would 
remain the entity that originated the request - in the case of Grantges, the browser.

It is further submitted that a cookie is generally considered to be information that a server 
creates and gives to a browser. When the browser requests additional pages, the browser also 
presents the cookie to the server. In contrast, the instant application modifies this usual 
understanding, so that a cookie is given to a server, rather than to a browser. Thus, to have the
requestor, who is required to present a cookie, be a server departs from the usual procedures. It is 
submitted that Grantges does not show this departure from the usual, but merely shows a proxy 
server forwarding messages. Thus, it is submitted that Grantges would not be seen as disclosing that 
the requestor is a server, as this would be understood by one of ordinary skill in the art. The Board
of Appeals is therefore requested to overturn the rejection of claim 18.

The Board of Appeals is requested to overturn the rejections of claims 1-9, 17-29, and 37
and to allow this application to issue. 




Betty G. Fonftby 
Reg. No. 36,536 
Yee & Associates, P.C. 
PO Box 802333 
Dallas, TX 75380 
(972)385-8777 
CLAIMS APPENDIX

The text of the claims involved in the appeal are:

1. A method in a data processing system for providing access to resources within the data
processing system, the method comprising the data processing system implemented steps of: 

receiving a request from a requestor to access a resource in the data processing system; 

sending a first cookie to the requestor in response to the request, wherein the cookie is 
used to access the resource; 

storing an identification of the requestor and the first cookie to form a stored 
identification and a stored cookie, wherein the identification of the requestor identifies a 
particular data processing system from which the request originated; 

responsive to receiving a second cookie from a source, comparing an identification of the 
source and the second cookie with the stored identification and the stored cookie to determine 
whether the second cookie contains the same information as the first cookie and whether the 
second cookie was received from the particular data processing system; and 

responsive to a match between the identification of the source and the second cookie and 
the stored identification and the stored cookie, allowing access to the resource. 

2. The method of claim 1, wherein access to the resource is allowed by accepting the second 
cookie.

3. The method of claim 1 further comprising:

responsive to an absence of a match between the identification of the source and the 
second cookie and the stored identification and the stored cookie, rejecting the second cookie. 

4. The method of claim 1, wherein the resource is a file and the first cookie identifies disk 
location of the file. 

5. The method of claim 1, wherein the source is a web server. 

6. The method of claim 1, wherein the step of storing an identification of the source and the
first cookie to form a stored identification and a stored cookie comprises: 

storing the identification of the source and the first cookie in a cache. 

7. The method of claim 6, wherein the identification is an Internet protocol address. 

8. The method of claim 1, wherein the steps of receiving, sending, storing, comparing, and 
allowing are performed in a browser. 

9. The method of claim 1, wherein the resource is a file having a path and further 
comprising: 

generating a disk location number from the path; and
placing the disk location number into the first cookie.

17. A data processing system comprising:
a cache; 

a cookie management process, wherein the cookie management process generates a 
cookie in response to receiving a request to access a resource within the data processing system 
from a requestor; sends the cookie to the requestor, stores the cookie and an identification of the 
requestor in the cache wherein the identification of the requestor identifies a particular data
processing system from which the request originated; responsive to being presented a received 
cookie from a source, compares the cookie and the identification of the requestor to the received 
cookie and the source to determine whether the received cookie contains the same information as 
the cookie sent to the requestor and whether the received cookie was received from the particular 
data processing system; and allows access to the resource in response to a match between the 
cookie and the identification of the requestor with the received cookie and the source. 

18. The data processing system of claim 17, wherein the requestor is a server. 

19. The data processing system of claim 17, wherein the resource is a file.

20. The data processing system of claim 17, wherein the identification of the requestor and
the identification of the source are Internet protocol addresses. 

21. A data processing system for providing access to resources within the data processing 
system, the data processing system comprising: 

receiving means for receiving a request from a requestor to access a resource in the data
processing system; 

sending means for sending a first cookie to the requestor, wherein the first cookie is used 
to access the resource; 

storing means for storing an identification of the requestor and the first cookie to form a
stored identification and a stored cookie, wherein the identification of the requestor identifies a 
particular data processing system from which the request originated; 

comparing means, responsive to receiving a second cookie from a source, for comparing 
an identification of the source and the second cookie with the stored identification and the stored 
cookie to determine whether the second cookie contains the same information as the first cookie 
and whether the second cookie was received from the particular data processing system; and 

allowing means, responsive to a match between the identification of the source and the 
second cookie and the stored identification and the stored cookie, for allowing access to the 
resource. 

22. The data processing system of claim 21, wherein access to the resource is allowed by
accepting the second cookie.

23. The data processing system of claim 21 further comprising:

rejecting means, responsive to an absence of a match between the identification of the 
source and the second cookie and the stored identification and the stored cookie, for rejecting the 
second cookie. 

24. The data processing system of claim 21, wherein the resource is a file and the first cookie
identifies disk location of the file. 

25. The data processing system of claim 21, wherein the source is a web server. 

26. The data processing system of claim 21, wherein the storing means for storing an
identification of the source and the first cookie to form a stored identification and a stored cookie 
comprises: 

storing means for storing the identification of the source and the first cookie in a cache. 

27. The data processing system of claim 26, wherein the identification is an Internet protocol 
address. 

28. The data processing system of claim 21, wherein the receiving means, sending means,
storing means, comparing means, and allowing means are performed in a browser. 

29. The data processing system of claim 21, wherein the resource is a file having a path and
further comprising: 

generating means for generating a disk location number from the path; and 
placing means for placing the disk location number into the first cookie. 

37. A computer program product in a computer readable medium for providing access to
resources within the data processing system, the computer program product comprising: 

first instructions for receiving a request from a requestor to access a resource in the data 
processing system; 

second instructions for sending a first cookie to the requestor, wherein the first cookie is 
used to access the resource; 

third instructions for storing an identification of the requestor and the first cookie to form 
a stored identification and a stored cookie, wherein the identification of the requestor identifies a 
particular data processing system from which the request originated; 

fourth instructions, responsive to receiving a second cookie from a source, for comparing 
an identification of the source and the second cookie with the stored identification and the stored 
cookie to determine whether the second cookie contains the same information as the first cookie 
and whether the second cookie was received from the particular data processing system; and 

fifth instructions, responsive to a match between the identification of the source and the 
second cookie and the stored identification and the stored cookie, for allowing access to the
resource.

EVIDENCE APPENDIX

There is no evidence to be presented.

RELATED PROCEEDINGS APPENDIX

There are no related proceedings. 